The RIGHT Way To Block PHP Files in Wp-Includes In WordPress

By Bhagwad Park on May 11, 2020


NameHero has a partnership with DropMySite to back up your website on a daily basis. One of the advantages of this is that it lets you see which files were modified, and the error logs in particular can be quite useful. Recently, this allowed me to isolate a recurring error logged in a “php_errorlog” file that looks like this:

Error Thrown in module.audio.ac3.php

As you can see, my site WP-Tweaks was throwing an error that said:

“Uncaught Error: Class ‘getid3_handler’ not found” in the file “module.audio.ac3.php”. A Google search for that error leads to this bug report page, which suggests a fix for WordPress users: harden the .htaccess file to disallow direct PHP execution in the wp-includes folder. Unfortunately, the rule given on the page located here doesn’t fix the problem. Specifically, this line:

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

only blocks PHP files directly inside the wp-includes folder. It doesn’t block files inside its subfolders. To do that, the line needs to be:

RewriteRule ^wp-includes\/.*\.php$ - [F,L]

Creating .htaccess Rules to Protect ALL PHP Files in Wp-Includes

To test this regular expression, check out the excellent tool regex101.com. I’ve saved the modified regex there so you can see how it blocks PHP files both directly inside wp-includes and in its subfolders:

New Regex Blocks all PHP Files

You can also see that it doesn’t block other files, such as CSS files, that might need to be requested directly. Only PHP files are matched, as expected.

For reference, the previous regex as given on the WordPress support pages doesn’t block all PHP files. Here’s a screenshot of the old regex:

Old Regex Not Blocking the First Line

You can see that while this regex matches “somephpfile.php” directly inside wp-includes, it doesn’t match the file that actually caused the error: wp-includes/ID3/module.audio.ac3.php.

Final .htaccess Code

So here’s the modified code that you need to insert into the top lines of .htaccess, OUTSIDE the # BEGIN WordPress / # END WordPress markers (WordPress rewrites everything between those markers, so anything placed inside them can be overwritten):

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is NOT under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid every .php file under wp-includes/, including subfolders (the fixed regex).
RewriteRule ^wp-includes\/.*\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
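To see exactly what the regex change above does, and how the S=3 skip in the final block behaves for requests outside wp-includes, here is an added Python script (not part of the original post, and not how Apache itself is implemented) that runs both regexes and a toy evaluator of the rule block over some constructed request paths. It assumes WordPress lives at the site root (RewriteBase /), matches paths relative to that directory the way a per-directory .htaccess does, and only models the !, F and S=n features the block actually uses; the sample paths are made up for the demonstration.

```python
import re

# Constructed copy of the rule block from the post, in order. Each entry is
# (negated, pattern, flags); the "-" substitution is implied for every rule.
RULES = [
    (False, r"^wp-admin/includes/", {"F", "L"}),
    (True, r"^wp-includes/", {"S=3"}),  # not under wp-includes: skip 3 rules
    (False, r"^wp-includes\/.*\.php$", {"F", "L"}),  # the post's fixed regex
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", {"F", "L"}),
    (False, r"^wp-includes/theme-compat/", {"F", "L"}),
]

# The two regexes compared in the post.
OLD_RULE = r"^wp-includes/[^/]+\.php$"  # version from the WordPress support page
NEW_RULE = r"^wp-includes\/.*\.php$"    # the post's replacement


def blocked_by(pattern, path):
    """True if a single RewriteRule pattern matches the request path.

    In a per-directory .htaccess, mod_rewrite matches the path relative to
    that directory (no leading slash), so "wp-includes/..." is the right form.
    """
    return re.search(pattern, path) is not None


def evaluate(rules, path):
    """Toy mod_rewrite evaluator for the flags used in this block.

    Returns 403 when a matching rule carries F, otherwise 200. Supports the
    '!' negation and S=n (skip the next n rules on match); L is implied by F.
    """
    i = 0
    while i < len(rules):
        negated, pattern, flags = rules[i]
        matched = blocked_by(pattern, path) != negated
        if matched:
            if "F" in flags:
                return 403
            # S=n: jump over the next n rules, then continue with the one after.
            i += sum(int(f[2:]) for f in flags if f.startswith("S="))
        i += 1
    return 200


def check_skip_counts(rules):
    """Sanity check: every S=n must have at least n rules after it.

    If someone deletes one of the three wp-includes rules without lowering
    S=3, the skip silently runs off the end and the check still passes, but
    the block then protects less than intended; this catches the reverse
    mistake, an S=n larger than the rules that remain.
    """
    for idx, (_, _, flags) in enumerate(rules):
        for f in flags:
            if f.startswith("S=") and int(f[2:]) > len(rules) - idx - 1:
                return False
    return True


# Constructed sample request paths (relative to the WordPress root).
SAMPLE_PATHS = [
    "wp-includes/ID3/module.audio.ac3.php",  # the file from the error log
    "wp-includes/somephpfile.php",
    "wp-includes/css/dist/block-library/style.min.css",
    "wp-includes/js/tinymce/langs/wp-langs-en.php",
    "wp-admin/includes/file.php",
    "wp-content/plugins/some-plugin/public.php",
    "index.php",
]

if __name__ == "__main__":
    print(f"{'path':52} old    new    block")
    for p in SAMPLE_PATHS:
        old = blocked_by(OLD_RULE, p)
        new = blocked_by(NEW_RULE, p)
        print(f"{p:52} {str(old):6} {str(new):6} {evaluate(RULES, p)}")
    print("skip counts consistent:", check_skip_counts(RULES))
```

Running it shows the old regex leaving wp-includes/ID3/module.audio.ac3.php untouched while the new one forbids it, CSS requests passing through both, and anything outside wp-includes (plugin files, index.php) falling straight out of the block because of the S=3 skip. Two things the script makes visible that are worth keeping in mind: the block says nothing about wp-content, so it is not a substitute for controls on the uploads directory, and because the new regex forbids every .php file under wp-includes, legacy Multisite networks that still serve uploads through wp-includes/ms-files.php would need an exception for that file.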

If you paste this code, it’ll keep the PHP files in your wp-includes folder from being run directly. Anyone who tries to request one of them will get a “403 Forbidden” response like this:

Direct PHP Access Blocked

And that’s it!

Bottom Line

To draw the attention of the WordPress community to this problem, I posted a note on the forums. The moderator replied that there was no problem with blocking all PHP code like this. Even though he said it wasn’t necessarily a security concern, he mentioned there might be future problems if someone were to hack your site and run malicious PHP files from that folder.

So better safe than sorry right?

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!


Comments

  1. kristina ponting says

    September 30, 2022 at 6:48 am

    It works very well – made it on my blogs :)
